In cybersecurity the border between ethical hacking and regular hacking is often thin. SIPVicious is a perfect example of this phenomenon : made for security professionals, it is also widely used by criminals to identify and exploit SIP networks vulnerabilities. Let’s discover how it is used by both parts.
Table of Contents
What is SIPVicious ?
SIPVicious is a suite of hacking tools dedicated to vulnerability scanning on VoIP networks. It is developed by the company Enable Security offering a wide range of services like security audits or training to protect RTC and SIP networks.
SIPVicious is an “offensive security tool” : it has an adversarial approach and is mainly used in pentest operations.
SIPVicious is an open-source tool suite, its code can be downloaded on the Enable Security’s github.
Offensive pentest tools
SIPVicious is composed of 5 tools :
Svmap is a SIP scanner, it is used to identify SIP servers : when deployed on a target IP address svmap can list SIP devices and PBX servers. It can be used for network listing/inventory to complete the catalog of the network’s components.
Svwar allows users to discover the active extensions on a target PBX server. It says if the extension is registered or non-registered and if it needs authentication or not.
Svcrack is used to crack passwords of the central server or registrar. It has to be combined with wordlists or numberlists: it is a brute force sip tool.
Svreport lets users display all the scans made with svmap and svwar and export them to stdout, pdf, xml, csv or txt. User can also delete any scan, display statistics and search for a given string in the user agent.
Svcrash is a response tool to protect sip networks against svwar and svcrack requests. It blocks SIP floods made by attackers using svwar.
SIPVicious requirements
Operating systems
SIPVicious can be launched on Linux, MacOs and Windows. It can also be used on the Docker platform.
Also SIPVicious is made of Python scripts so you will need to install the Python compiler on your computer.
Hardware
The software doesn’t require a lot of resources, a 512MB Memory hardware is enough to run sip vicious. The only limitation for small resources computers concerns the SIP flooding feature : the intensity of the attack will depend on the ressources of your machine.
How is SIPVicious used?
SIP pentest
SIPVicious is mainly used by ethical hackers for security audits of SIP based VoIP systems. During penetration testing operations, IT professionals are scanning the network and attempting to crack sip accounts. These simulated cyberattacks allow companies to know their network vulnerabilities and weaknesses.
SIPVicious attack
Many hackers use SIPVicious to perform reconnaissance and gather information about IP/VoIP phones and PBX systems.
Friendly scanner/SIP DDoS
Like every tool that can be distorted from its initial purpose, sip vicious is often used to perform real hacks.
A lot of companies and security professionals are reporting Sip floods made with sipvicious tools.
This type of attacks named “friendly scanner” are often coming from User-Agent property containing “sipvicious”. This friendly scanner can cause a DDoS situation and paralyze a whole telephone infrastructure.
Brute force
The bruteforce attack module in SIPVicious (svcrack) can be used to brute force SIP credentials. This module will try to guess the SIP username and password by making multiple authentication attempts. When the password is cracked the attacker can perform a wide variety of hacks like toll-fraud.
Replay attack
A replay attack is when an attacker captures a valid request and then replays it at a later time. This can be used to perform actions that the attacker wants or to bypass security controls.
As many SIP devices allow nonce (cryptographic hash number) reusing, attackers just need to intercept it and replay it to gain access to a device or an extension.
The replay attack command (“reusenonce”) in sipvicious can be used to replay previously recorded SIP requests. This can be used to replay a call or to replay a request that will cause the server to perform an action that the attacker wants.
Protection against SIPVicious
There are some measures that can be taken to protect your network from “friendly scanner” attacks.
- Some user agent are known to be associated with the exploit
| sipcli | Gulp |
| sipvicious | sipv |
| sip-scan | smap |
| sipsak | friendly-request |
| sundayddr | VaxIPUserAgent |
| friendly-scanner | VaxSIPUserAgent |
| iWar | siparmyknife |
| CSipSimple | Test Agent |
| SIVuS |
- When several failed register attempts are noticed you can temporarily ban the IP address associated. To do so you just have to block the IP address on the Access control list (ACL) of your session border controller.
The complete list of recommendations can be found on the Kolmisoft blog.
Is sip vicious legal ?
The use of SIP vicious is strictly reserved to audit operations, specifically pen test operations. The conditions of a pen test operation must figure in a contract between the hacker and the company.
Any use of these tools outside of this type of agrement goes against the law.
It is possible to try and use sip vicious on your local network.
